As Complexity Challenges Security, Is Time the Solution?
Black Hat Europe Speakers Focus on Upsides of Failing Faster as Complexity Mounts
"Who here thinks your network or environment will become more complex next year?"
So asked cybersecurity veteran Jeff Moss, kicking off this week's Black Hat Europe conference briefings in London.
"Complexity leaves me in a very depressing place; complexity is just forever increasing," said Moss, who's the founder of Black Hat and regularly opens the conference by detailing leading challenges as well as potential solutions.
For addressing complexity, he said, "time has got me pretty excited." Simply put, being strategic about doing things faster - including detection and recovery - gives organizations one tactic to blunt the impact of increased complexity.
Not all of that complexity comes from attackers' own technical evolution, such as malware built to better evade defenses or criminals wielding zero-day exploits. Last week, researchers debuted ChatGPT, a prototype conversational AI chatbot whose output can sometimes pass for human.
This means added complexity for security professionals, since many security tools use attackers' poor command of English to detect and block phishing attacks. Expect criminals to soon use tools such as ChatGPT to write lures that seem to have been crafted by a native speaker, said Daniel Cuthbert, a veteran cybersecurity researcher who's a member of the U.K. government's new cyber advisory board.
For Cuthbert, the success of phishing attacks points to larger problems with vendors and developers failing to better eliminate bugs, simplify and trim their code bases and disable often-abused features. "For me, phishing is a systematic problem of where we are as an industry, in that you should be able to click on something and not have it push a reverse shell out to somebody else," he said.
Observe, Orient, Decide, Act
Since complexity comes in many shapes and sizes, Moss recommends focusing on time by way of the OODA decision-making loop - observe, orient, decide, act - in order either to succeed or to "fail faster and break things."
Moss added: "The faster you can observe, orient, decide or act, the faster you're able to spin that cycle. The faster you spin the cycle, the more you can be ahead of an adversary."
To put this into practice, he recommends that security professionals every quarter pick key, time-based metrics to address. For example, in this era of rampant ransomware attacks, how long does it take to restore a backup?
Restoration will never be instantaneous, and even restoring numerous systems in a single day is probably a stretch. But if organizations can shave time off the process before a crisis, Moss said, they may be able to weather the crisis and recover more easily.
If an organization knows it can restore working backups in two days and believes it can "string along" ransomware attackers for three days, that provides more leeway to see if the backups work before deciding if they must, after all, pay the ransom to recover data, Moss said. Not that he's a proponent of paying ransoms, "but you now have options," and not least among them is providing leadership with confidence about what can be achieved and when.
If restoration takes five days and negotiations can only be sustained for three, "all of a sudden, your leadership starts thinking, 'Maybe we should pay the bad guy some money just in case,'" he said.
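As an added illustration of the drill Moss describes, and not code from the article or from Moss himself, the following Python script times a restore from a small, constructed tar backup, verifies each restored file against a SHA-256 manifest written at backup time, and compares the elapsed time against an assumed three-day negotiation window. The file names, contents and time budget are invented for the example; a real drill would point it at a real backup and a real restore target.

```python
"""Timed backup-restore drill (added example; all inputs are constructed).

Measures how long a restore takes, checks the restored files against a
manifest of digests taken at backup time, and reports whether the restore
both worked and finished inside the assumed negotiation window.
"""
import hashlib
import io
import os
import tarfile
import tempfile
import time
from dataclasses import dataclass, field

# Constructed sample backup contents (name -> bytes); not real data.
SAMPLE_FILES = {
    "db/accounts.sql": b"CREATE TABLE accounts (id INT, balance INT);\n" * 64,
    "etc/app.conf": b"listen=0.0.0.0:8443\nlog_level=info\n",
    "www/index.html": b"<html><body>hello</body></html>\n",
}


def build_backup(files: dict[str, bytes]) -> tuple[bytes, dict[str, str]]:
    """Write a ustar archive plus a SHA-256 manifest of its members.
    The manifest is kept apart from the archive; a restore that cannot
    reproduce these digests has not worked, however quickly it finished."""
    buf = io.BytesIO()
    manifest: dict[str, str] = {}
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
            manifest[name] = hashlib.sha256(data).hexdigest()
    return buf.getvalue(), manifest


def _in_tree(name: str) -> bool:
    """True if an archive member name stays inside the restore directory."""
    parts = name.replace("\\", "/").split("/")
    return not name.startswith("/") and ".." not in parts and all(parts)


@dataclass
class DrillResult:
    restore_seconds: float
    corrupted: list[str] = field(default_factory=list)
    missing: list[str] = field(default_factory=list)

    @property
    def verified(self) -> bool:
        return not self.corrupted and not self.missing


def run_restore_drill(archive: bytes, manifest: dict[str, str], dest: str) -> DrillResult:
    """Restore the archive into dest, verify every manifest entry, time the whole thing."""
    start = time.monotonic()
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar.getmembers():
            # Only regular files with in-tree names are written, so a damaged
            # or hostile archive cannot write outside the restore directory.
            if not member.isfile() or not _in_tree(member.name):
                continue
            target = os.path.join(dest, member.name)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with tar.extractfile(member) as src, open(target, "wb") as dst:
                dst.write(src.read())
    result = DrillResult(restore_seconds=0.0)
    for name, expected in manifest.items():
        path = os.path.join(dest, name)
        if not _in_tree(name) or not os.path.isfile(path):
            result.missing.append(name)
            continue
        with open(path, "rb") as fh:
            if hashlib.sha256(fh.read()).hexdigest() != expected:
                result.corrupted.append(name)
    result.restore_seconds = time.monotonic() - start
    return result


def run_drill_in_tempdir(archive: bytes, manifest: dict[str, str]) -> DrillResult:
    """Restore into a throwaway directory that is removed afterwards."""
    with tempfile.TemporaryDirectory() as dest:
        return run_restore_drill(archive, manifest, dest)


def drill_verdict(result: DrillResult, negotiation_window_seconds: float) -> str:
    """Moss's framing as one check: a restore only buys options if it both
    works and finishes before the attacker stops waiting."""
    if not result.verified:
        return "backup failed verification"
    if result.restore_seconds <= negotiation_window_seconds:
        return "restore within window"
    return "restore exceeds window"


def corrupt_first_file(archive: bytes) -> bytes:
    """Simulate bit rot: flip one data byte of the first member (ustar header is 512 bytes)."""
    return archive[:512] + bytes([archive[512] ^ 0xFF]) + archive[513:]


if __name__ == "__main__":
    archive, manifest = build_backup(SAMPLE_FILES)
    res = run_drill_in_tempdir(archive, manifest)
    print(f"restore took {res.restore_seconds:.3f}s, verified={res.verified}")
    print(drill_verdict(res, negotiation_window_seconds=3 * 86400))  # assumed 3-day window
    bad = run_drill_in_tempdir(corrupt_first_file(archive), manifest)
    print("corrupted after tampering:", bad.corrupted)
```

The number worth tracking quarter over quarter is `restore_seconds` on a verified restore; an unverified restore, however fast, is the five-day case in disguise, because the time to discover the backup is bad gets added to the clock during the incident.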
The overriding goal of focusing on time is to more quickly either succeed or fail. "We can use time in so many ways to help our enterprises," Moss said. "A lot of harm that's caused online can be addressed, if we only act faster."
Knowing what an organization needs to do more quickly and finding ways to do that is a repeat theme throughout the conference so far, including at the standing-room-only briefing "Confidence in Chaos: Strategies for World-Class Security Operations."
Speaker Kathryn Knerler, senior principal cybersecurity architect in MITRE Labs' Cyber Solutions Innovation Center, shared a story about working in a security operations center that received an alert from an external source saying that one of the organization's systems had been hacked. But neither the SOC nor the IT department - which maintained the asset inventory - had any record of the IP address in question.
Eight hours later, the SOC was finally able to verify the hack report. "It was a research organization that had set up this little, rogue network and not told IT or asset inventory," she said. "If you were listening about timing this morning, eight hours is a long time if you're doing incident response."